On Thu, 4 Sep 2003, Ron Peterson wrote:

> So I was thinking I could do this by aliasing multiple IPs to a single
> interface, and filter based on the virtual interface. Can't do this, I
> guess. Neither can I filter on destination IP, because the box is a
> gateway, not a destination. Is there any way to filter a packet based
> on which gateway IP address it was sent to, if both addresses are
> assigned to the same interface?

No, there isn't. And it has a simple reason: the IP of the gateway that was
used is not transmitted in routed packets.

The client resolves the gateway address from the routing table via ARP to the
MAC address of the gateway interface, which will be the same for all virtual
interfaces/addresses on this interface. This MAC address is now stored in the
Ethernet header of the IP packet, with an IP destination address behind the
gateway.

A forwarded-via-gateway packet is, for the gateway, only: "A packet with my
Ethernet address (MAC), but not one of my IPs."

c'ya
sven

--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)